ChewBacca malware targets smaller retailers in 11 countries

More frequently associated with space-faring Wookiees, the name ChewBacca has recently entered the lexicon of cybersecurity as the moniker of a malicious software suite. And while the fight against that online menace may involve fewer lasers, for retailers it’s still pretty hairy.

According to RSA FirstWatch, a ring of cyber thieves used the program to attack smaller retailers in 11 countries, successfully stealing information from roughly 49,000 credit and debit cards. The software has been in use since late October of 2013, infecting point-of-sale systems to collect details about the payment cards run through them. In that time, around 24 million transactions were logged by the software.

While malware targeting customer data can be relatively sophisticated, RSA says that this Trojan was basic in its execution. “The ChewBacca Trojan appears to be a simple piece of malware that, despite its lack of sophistication and defense mechanisms, succeeded in stealing payment card information from several dozen retailers around the world in a little more than two months,” the RSA Blog says.

ChewBacca did not threaten larger retailers, but the threat of personal information theft is a growing concern for consumers in the wake of similar incidents at Target and Neiman Marcus stores. The incident underscores not only the relative ease with which cybercriminals can steal information, but also the loathsome state of the security guidelines that are meant to prevent them from doing so.

While the Federal Trade Commission has stepped up recently in an attempt to hold organizations accountable for negligent security standards, it does so on a case-by-case basis. Retailers and other organizations still have few guidelines to proactively protect customer info.

RSA has assisted the Federal Bureau of Investigation in stopping the attacks and has alerted the parties involved about the potentially compromised payment cards.